ALPINE-CVE-2019-0215

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in modssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions...

Fedora 29 : httpd (2019-119b14075a)

This update includes the latest upstream release of Apache httpd, version 2.4.39, including multiple bug and security fixes. To see the full list of changes in this release, see: https://www.apache.org/dist/httpd/CHANGES2.4.39 The following security vulnerabilities are addressed : - CVE-2019-0211...

Internet Bug Bounty: CVE-2019-0196: mod_http2 with scoreboard Use-After-Free (Read)

A crafted HTTP2 request can trigger reference to request data from a memory pool after its destruction. This memory is subsequently used as input to an sprintf type function for constructing a string value. This unsafe memory access ultimately means that the r-therequest string is poisoned with...

Apache Httpd < 2.4.41 : mod_rewrite potential open redirect

Redirects configured with modrewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL...

[SECURITY] Fedora 29 Update: mod_http2-1.14.1-1.fc29

The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers...

Apache httpd mod_ssl TLS Renegotiation Denial of Service (CVE-2019-0190)

A denial-of-service vulnerability has been reported in Apache httpd. The vulnerability is due to improper handling of client-initiated renegotiation when using OpenSSL version 1.1.1. A remote attacker could exploit this vulnerability by sending crafted request including performing a TLS...

Security Bulletin: Multiple vulnerabilities in the IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301)

Summary There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server. Vulnerability Details CVEID: CVE-2018-1301 DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds access error after a header size limit has been reached...

Apache httpd mod_md Denial of Service (CVE-2018-8011)

A denial of service vulnerability exists in the Apache httpd modmd. This vulnerability is due to insufficient input validation. Successful exploitation of this vulnerability can lead to denial of service conditions on the target server...

httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications

It has been discovered that the modsession module of Apache HTTP Server httpd, through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a "Session" header...

httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, modauthnzldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset...

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, 14.2 to fix security issues. A bugfix release for -current is also available. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/php-5.6.40-i586-1slack14.2.txz: Upgraded. Several security bugs have been fixed in this...

CVE-2018-11803

Subversion's moddavsvn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation...

DEBIAN-CVE-2018-11803

Subversion's moddavsvn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation...

Design/Logic Flaw

Subversion's moddavsvn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation...

CVE-2018-11803

Subversion's moddavsvn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation...

CVE-2018-11803

Subversion's moddavsvn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation...

CVE-2018-11803

CVE-2018-11803 affects Subversion’s mod_dav_svn Apache HTTPD module, specifically versions 1.11.0 and 1.10.0 through 1.10.3, where dereferencing an uninitialized pointer when the client omits the root path during a recursive directory listing can crash the server. The vulnerability is documented ...

CVE-2018-11803

Subversion's moddavsvn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation...

Apache Httpd < 2.4.39 : mod_http2, read-after-free on a string compare

Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly...

Apache Httpd < 2.4.39 : mod_http2, possible crash on late upgrade

When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for...